The first principle according to ACPO (Association of Chief Police Officers) in the UK is “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court” (ACPO, p4). This principle which is applied and used by forensic investigators in the world requires the investigators to pay more attention when dealing with data stored in computer storage media. Once it is changed, the next phases of examination will be considered weak and doubt, even the results of examination could be rejected by court. However the changes are still allowed when the investigators can know exactly their actions and its implications such as when performing live imaging.

In order to accommodate this principle, the investigators apply write protect during their examination process, particularly when making forensic imaging at the first time. This write protect can be in the form of either software or hardware. In Ms Windows OS, there are many forensically sound write protect tools offered to users. Most of them are commercial. Write protect is also available on Ubuntu, but this is for free. We just make a little modification on fstab file to configure Ubuntu machine becomes forensically sound write protect. This journal discusses about it including the experiments performed and the results obtained.

Experiments Preparation

The 4GB flash disk is used as the object of these experiments. It is set up by using GParted in order to configure the partition, so that it has 4 partitions with different file systems. Below is the specification of each partition with the operating system installed within it by using Unetbootin.

Partition 1: size=996.19 MB and file system of ntfs.
Partition 2: size=996.22 MB and file system of fat16 with BartPE as operating system.
Partition 3: size=996.19 MB and file system of ext2 with Helix 3.0 as operating system.
Partition 4: size=847.15 MB and file system of ext3 with Ubuntu 8.10 as operating system.

Particularly for partition 1, there is no OS installed in it because it is designed for storing files. This configuration is intended to make a condition of flash disk becomes closely similar with a real hard disk having some partitions with different file systems.

In dealing with computer crime, the forensic investigators are faced to volatile digital evidence which must be discovered as soon as possible because sooner it can be recovered, better the criminal investigators handle the case, even it can make the duty of the investigators become easy to locate and catch the perpetrators. There are many ways to carry out forensic investigation on cases of computer crime. Although there is a bunch of various different techniques for this purpose, essentially they have same goal, namely to recover the digital evidence, and then serve it for court.

There are two conditions in which the forensic investigators often deal with; they are forensic analysis under Microsoft Windows and under Linux OS such as Ubuntu. In this case, Ms Windows and Ubuntu have their own advantages and disadvantages regarding with computer forensic examination. In some extent, they have similarities, but in the other cases, they also have differences. This journal will describe the topic about “similarities and differences between Ubuntu and Ms Windows on forensic applications”. The descriptions also include practical samples of forensic tools in order to support the opinion.

Research Preparation

In order to run this research on the track, I make some experiments based on my experience in investigating the case of computer crime by setting up 4 GB flash disk as experimental object. I configure it to be 3 partitions by using Partition Editor application from Ubuntu. The first partition is FAT32 with the size of 1000 Mbyte in which I install Helix Forensics by using USB Startup Creator from Intrepid so that it becomes bootable flash disk to run Helix Forensics live, then I also put some files which have different file extensions such as pdf, doc, odt, ppt, jpg, odp and so on in different folders, some of these files are then deleted. The first partition becomes one of the objects of experiments. To be more focus on analysing, I limit the similarities in 5 points of view and differences in 3 points of view.

About Me

I have been working for Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is the Chief of Computer Forensic Sub-Department. I have core duties to handle digital forensic investigation and analysis on electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri which was started in around 2000. Last year, in 2012 I and my team successfully investigated and analyzed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents is mostly from knowledge and science I got from joining the MSc in Forensic Informatics at the University of Strathclyde, in the UK in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".